JRuby Hash Collision Denial Of Service Vulnerability

Bugtraq ID:	51233
Class:	Failure to Handle Exceptional Conditions
CVE:	CVE-2011-4838
Remote:	Yes
Local:	No
Published:	Nov 02 2011 12:00AM
Updated:	Jul 31 2012 04:31PM
Credit:	Alexander Klink, n.runs AG and Julian Wälde, Technische Universität Darmstadt
Vulnerable:	JRuby JRuby 1.6.5 JRuby JRuby 1.4.1 JRuby JRuby 1.4.0 JBoss Group JBooss Enterprise SOA Platform 5.1.2 Gentoo Linux Check Point Software Security Gateways 0 Check Point Software Integrity 7.0 Check Point Software Integrity 6.0 Check Point Software Integrity 5.0 Check Point Software Endpoint Security 8.0 Check Point Software Endpoint Security 7.0 Check Point Software Connectra Appliances 0
Not Vulnerable:	JRuby JRuby 1.6.5.1

JRuby Hash Collision Denial Of Service Vulnerability

JRuby is prone to a denial-of-service vulnerability.

An attacker can exploit this issue by sending specially crafted forms in HTTP POST requests.

Successful exploits will allow attackers to cause a denial-of-service condition.

Versions prior to 1.6.5.1 are vulnerable.

JRuby Hash Collision Denial Of Service Vulnerability

An attacker can use readily available tools to exploit this issue.

JRuby Hash Collision Denial Of Service Vulnerability

Solution:
Updates are available. Please see the references for more details.

JRuby Hash Collision Denial Of Service Vulnerability

References:

• JRuby Homepage (JRuby)
  
• n.runs-SA-2011.004 28-Dec-2011 (n.runs AG)
  
• Vulnerability Note VU#903934 Hash table implementations vulnerable to algorithmi (US-CERT)
  
• #2011-003 multiple implementations denial-of-service via hash algorithm collisio (oCERT)